#######################################################################
Luigi Auriemma
Application: OpenBOR
http://www.openbor.net
Beats of Rage
http://www.senileteam.com
HOR: Horizontal Shooter BOR
http://openbor.net/hor/
Versions: OpenBOR <= 2.0046
BOR <= 1.0029
HOR <= 2.0000
Platforms: Dreamcast, GP32, PSP, Palm OS, Pocket PC, GP2X, Amiga,
Linux, PC, Playstation 2 and Xbox
Bug: format string vulnerabilities
Exploitation: local
Date: 20 May 2006
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Beats of Rage (BOR) is a very nice open source beat 'em up engine
developed by Senile Team (http://www.senileteam.com) and inspired by
games like "Streets of Rage" and "The King of Fighters".
It runs on many platforms and supports user-made mods:
http://borrevolution.vg-network.com
http://www.borhosting.com
#######################################################################
======
2) Bug
======
BOR contains several format string vulnerabilities that can be
exploited through malicious mod files: text taken from the mod is
passed to a *printf-style function as the format argument instead of
as data.
The pieces of code containing the bugs are listed below. The most
commonly reached functions are shutdown (used to terminate the game at
its end or when an error occurs) and update (which draws text on the
screen through the font_printf function):
void shutdown(char *msg, ...){
    static char buf[2048];
    va_list arglist;
    va_start(arglist, msg);
    vsprintf(buf, msg, arglist);  /* first pass: msg is expanded with the caller's arguments */
    va_end(arglist);
    ...
    printf("Done.\n\n\n\n");
    printf(buf);                  /* second pass: the expanded text, which may now contain
                                     mod-supplied '%' directives, is used as a format string */
    exit(0);
}

From predrawstatus() (the name from the mod is passed in the format slot):
    font_printf(21+xo, savedata.windowpos+19, 0, player[i].opponent->name);
    ...
    else if(player[i].joining && player[i].model){
        font_printf(21+xo, savedata.windowpos+2, 0, player[i].model->name);
    ...

From update():
    font_printf(0,230, 0, debug_msg);

From choose_difficulty() (set_names[] comes from the mod's level set definitions):
    if(savedata.times_completed >= ifcomplete[i]) font_printf(120,160+i*10, (selector==i), set_names[i]);
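The two shapes of the bug side by side with the call each should have been, as an added illustration in C. This is not code from BOR or OpenBOR and not a fix their developers have shipped: font_line() is a stand-in for the engine's font_printf() (screen coordinates dropped, output written to a buffer), the function names, the loader-side check and the sample mod string "100%%" are my own. The sample is chosen because "%%" keeps the behaviour defined: the vulnerable paths collapse it to a single "%", proving the string was parsed as a format, whereas the advisory's "%08x.%08x.%08x.%08x" would read values that were never passed (stack contents).

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the engine's font_printf(): every *printf-style sink has a
 * format slot, and whatever lands there is interpreted, not printed. */
static int font_line(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* predrawstatus()/choose_difficulty() pattern, vulnerable: the mod-supplied
 * name IS the format. "%08x.%08x.%08x.%08x" here makes vsnprintf consume
 * arguments that were never passed, which is what the advisory's intro.txt
 * line triggers through update(). */
static int show_name_unsafe(char *out, size_t outsz, const char *name)
{
    return font_line(out, outsz, name);
}

/* Hardened: fixed literal format, the name is only a %s argument. */
static int show_name_safe(char *out, size_t outsz, const char *name)
{
    return font_line(out, outsz, "%s", name);
}

/* shutdown() pattern, vulnerable: the message is formatted once with the
 * caller's arguments (legitimate), then the expanded buffer, which now
 * carries attacker data, is handed to printf/snprintf as a format again. */
static int shutdown_msg_unsafe(char *out, size_t outsz, const char *fmt, ...)
{
    char buf[2048];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(buf, sizeof buf, fmt, ap);  /* pass 1: fmt is a trusted literal */
    va_end(ap);
    return snprintf(out, outsz, buf);     /* pass 2: BUG, buf is data */
}

/* Hardened: the expanded buffer is emitted as data, never as a format. */
static int shutdown_msg_safe(char *out, size_t outsz, const char *fmt, ...)
{
    char buf[2048];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(buf, sizeof buf, fmt, ap);
    va_end(ap);
    return snprintf(out, outsz, "%s", buf);
}

/* Loader-side check, added here (the page describes no such check in the
 * engine): a mod-supplied string containing '%' has no business near a
 * format slot, so flag it when the PAK is loaded. */
static int has_format_char(const char *s)
{
    return strchr(s, '%') != NULL;
}

int main(void)
{
    char out[64];
    const char *name = "100%%";  /* constructed mod input, see lead-in */

    show_name_unsafe(out, sizeof out, name);
    printf("unsafe name : %s\n", out);   /* 100%  */
    show_name_safe(out, sizeof out, name);
    printf("safe name   : %s\n", out);   /* 100%% */

    shutdown_msg_unsafe(out, sizeof out, "Level: %s", name);
    printf("unsafe msg  : %s\n", out);   /* Level: 100%  */
    shutdown_msg_safe(out, sizeof out, "Level: %s", name);
    printf("safe msg    : %s\n", out);   /* Level: 100%% */

    printf("suspicious  : %d\n", has_format_char("%08x.%08x.%08x.%08x"));
    return 0;
}
```

The shutdown() case is the one worth remembering: the first vsprintf call is fine, it is the second pass (printf(buf)) that turns already-expanded data back into a format. Compilers flag both shapes with -Wformat-security, which is a cheap check to run over an engine that concatenates mod-supplied text into messages.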
#######################################################################
===========
3) The Code
===========
Take an existing mod and:
- add the following line to data/scenes/intro.txt:
    music %08x.%08x.%08x.%08x 0
- add the following line to data/easy/1aeasy.txt:
    background %08x.%08x.%08x.%08x
The first line triggers the format string bug in the update function
when the game starts and the intro is launched automatically.
The second one instead triggers the bug in the shutdown function
(reached when the engine aborts with an error) once the Easy level is
selected and a character has been chosen.
The PAK files of a mod can be extracted and rebuilt with the following
tool:
http://aluigi.org/papers/borpak.zip
#######################################################################
======
4) Fix
======
No fix is available.
BOR is no longer supported; OpenBOR still is, but I have received no
reply from its developers.
#######################################################################